A hacked WordPress site or a malware infection is frustrating, but following these steps can help you fix a hacked WordPress site and remove the malware. Here is a detailed guide to recovering and securing your website:
Table of Contents
- 1. Hire an Expert if You Are a Rookie
- 2. Backup Your Website
- 3. Replace .htaccess With the Default One
- 4. Deactivate All WordPress Plugins
- 5. Switch to a Default Theme
- 6. Reupload WordPress Core Files
- 7. Restore Default wp-config.php
- 8. Check for Custom .htaccess Files in wp-content to Fix Hacked WordPress
- 9. Scan for Malware With Wordfence
- Conclusion
1. Hire an Expert if You Are a Rookie
If you’re unfamiliar with WordPress troubleshooting, hiring a WordPress security expert can save you time and prevent further damage. Professionals have the tools and expertise to identify vulnerabilities, clean up infected files, and implement strong security measures. While this may cost money, it often prevents further issues and ensures your website is fully restored and protected.
2. Backup Your Website
Before making any changes, create a complete backup of your website so that you have a fallback option. Ask your hosting provider for help if you need it. A complete backup includes:
- Database: Use tools like phpMyAdmin or a backup plugin to export a copy of your database. This is critical for retaining user data, posts, and settings.
- Files: Access your server via FTP or a file manager and download all site files. A plugin like UpdraftPlus or BackupBuddy can also help automate this process.
Regular backups are essential not only for emergencies like hacks but also for routine maintenance.
3. Replace .htaccess With the Default One
The .htaccess file is a frequent target for hackers because it controls important server configurations. To replace it with the default WordPress version:
- Log in to your site via FTP or your hosting file manager.
- Navigate to your root directory (public_html) and edit the current .htaccess file.
- Replace its content with:

```apache
# BEGIN WordPress
RewriteEngine On
RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
# END WordPress
```
Replacing this file removes malicious code and restores proper functionality to your site.
4. Deactivate All WordPress Plugins
Plugins are often exploited by hackers to inject malware. To troubleshoot:
- Deactivate all plugins by renaming the plugins folder: using FTP or your hosting file manager, navigate to the wp-content folder, find the plugins folder, and rename it to plugins.deactivate. This deactivates all plugins at once.
- Check if your site’s issue is resolved.
- Reactivate plugins one at a time to identify the source of the problem. If a plugin is outdated or compromised, delete it.
- Download fresh copies of plugins only from trusted sources like the official WordPress Plugin Repository.
This process ensures that no infected plugins remain on your site, while your data and plugin settings remain intact.
5. Switch to a Default Theme
Themes can also harbor malicious code. To verify if your theme is the issue:
- Using FTP, navigate to the wp-content folder and open the themes folder. Find your current theme’s folder and rename it to something like mytheme.deactivate to deactivate it.
- If the problem resolves, your theme is likely compromised. Delete it via the dashboard or FTP.
- Download a clean copy of your theme from a trusted source and reinstall it.
Switching to a default theme temporarily won’t affect your site’s content but helps isolate the problem.
6. Reupload WordPress Core Files
Corrupted core files are a common issue in hacked sites. To restore them:
- Download the latest version of WordPress from WordPress.org.
- Extract the downloaded files to your computer.
- Using FTP, upload everything except the wp-content folder to your site’s root directory (public_html).
- Overwrite the existing files when prompted.
This step replaces corrupted files while preserving your content, themes, and plugins.
7. Restore Default wp-config.php
The wp-config.php file contains critical site configuration settings, and some malware makes changes to it. If it is compromised, follow these steps to fix your hacked WordPress website:
- Locate the wp-config.php file in your root directory via FTP.
- Copy the database name, username, password, host and table prefix from your current wp-config.php file.
- Replace it with the default wp-config-sample.php file from a fresh WordPress installation:

```php
<?php
/**
 * The base configuration for WordPress
 *
 * The wp-config.php creation script uses this file during the installation.
 * You don't have to use the website, you can copy this file to "wp-config.php"
 * and fill in the values.
 *
 * This file contains the following configurations:
 *
 * * Database settings
 * * Secret keys
 * * Database table prefix
 * * ABSPATH
 *
 * @link https://developer.wordpress.org/advanced-administration/wordpress/wp-config/
 *
 * @package WordPress
 */

// ** Database settings - You can get this info from your web host ** //
/** The name of the database for WordPress */
define( 'DB_NAME', 'database_name_here' );

/** Database username */
define( 'DB_USER', 'username_here' );

/** Database password */
define( 'DB_PASSWORD', 'password_here' );

/** Database hostname */
define( 'DB_HOST', 'localhost' );

/** Database charset to use in creating database tables. */
define( 'DB_CHARSET', 'utf8' );

/** The database collate type. Don't change this if in doubt. */
define( 'DB_COLLATE', '' );

/**#@+
 * Authentication unique keys and salts.
 *
 * Change these to different unique phrases! You can generate these using
 * the {@link https://api.wordpress.org/secret-key/1.1/salt/ WordPress.org secret-key service}.
 *
 * You can change these at any point in time to invalidate all existing cookies.
 * This will force all users to have to log in again.
 *
 * @since 2.6.0
 */
define( 'AUTH_KEY',         'put your unique phrase here' );
define( 'SECURE_AUTH_KEY',  'put your unique phrase here' );
define( 'LOGGED_IN_KEY',    'put your unique phrase here' );
define( 'NONCE_KEY',        'put your unique phrase here' );
define( 'AUTH_SALT',        'put your unique phrase here' );
define( 'SECURE_AUTH_SALT', 'put your unique phrase here' );
define( 'LOGGED_IN_SALT',   'put your unique phrase here' );
define( 'NONCE_SALT',       'put your unique phrase here' );

/**#@-*/

/**
 * WordPress database table prefix.
 *
 * You can have multiple installations in one database if you give each
 * a unique prefix. Only numbers, letters, and underscores please!
 *
 * At the installation time, database tables are created with the specified prefix.
 * Changing this value after WordPress is installed will make your site think
 * it has not been installed.
 *
 * @link https://developer.wordpress.org/advanced-administration/wordpress/wp-config/#table-prefix
 */
$table_prefix = 'wp_';

/**
 * For developers: WordPress debugging mode.
 *
 * Change this to true to enable the display of notices during development.
 * It is strongly recommended that plugin and theme developers use WP_DEBUG
 * in their development environments.
 *
 * For information on other constants that can be used for debugging,
 * visit the documentation.
 *
 * @link https://developer.wordpress.org/advanced-administration/debug/debug-wordpress/
 */
define( 'WP_DEBUG', false );

/* Add any custom values between this line and the "stop editing" line. */



/* That's all, stop editing! Happy publishing. */

/** Absolute path to the WordPress directory. */
if ( ! defined( 'ABSPATH' ) ) {
	define( 'ABSPATH', __DIR__ . '/' );
}

/** Sets up WordPress vars and included files. */
require_once ABSPATH . 'wp-settings.php';
```

- Edit the file to include your database name, username, password, host and table prefix. Save it as wp-config.php.
- Upload the file back to your server.
This step restores a clean configuration while retaining your database connection, and it will likely fix your hacked WordPress website.
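As an added example that is not part of the original article: a small Python helper that carries the database settings and table prefix over from the old wp-config.php into wp-config-sample.php and replaces the placeholder keys and salts with freshly generated values (the sample file's own comment notes that new salts log every user out). The OLD_CONFIG and SAMPLE strings are constructed stand-ins, not real site data.

```python
import re
import secrets
import string
# Values step 7 says to carry over from the old wp-config.php.
CARRY_OVER = ("DB_NAME", "DB_USER", "DB_PASSWORD", "DB_HOST")
# Salts are regenerated, not copied: new values invalidate every existing login cookie.
SALT_KEYS = ("AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
             "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT")
DEFINE_RE = re.compile(r"define\(\s*'([A-Z_]+)'\s*,\s*'((?:[^'\\]|\\.)*)'\s*\)")
PREFIX_RE = re.compile(r"^\$table_prefix\s*=\s*'([A-Za-z0-9_]+)'\s*;", re.M)

# Constructed stand-ins for the old config (no DB_HOST line) and for wp-config-sample.php.
OLD_CONFIG = """define( 'DB_NAME', 'shop_db' );
define( 'DB_USER', 'shop_user' );
define( 'DB_PASSWORD', 'p@ss\\'w0rd' );
define( 'AUTH_KEY', 'leaked-old-key' );
$table_prefix = 'shop_';
"""
SAMPLE = """define( 'DB_NAME', 'database_name_here' );
define( 'DB_USER', 'username_here' );
define( 'DB_PASSWORD', 'password_here' );
define( 'DB_HOST', 'localhost' );
define( 'AUTH_KEY',         'put your unique phrase here' );
define( 'NONCE_SALT',       'put your unique phrase here' );
$table_prefix = 'wp_';
"""

def extract_settings(old_config: str) -> dict:
    """Pull the DB constants and $table_prefix out of the old wp-config.php."""
    found = {m.group(1): m.group(2) for m in DEFINE_RE.finditer(old_config)}
    settings = {k: found[k] for k in CARRY_OVER if k in found}
    m = PREFIX_RE.search(old_config)
    settings["table_prefix"] = m.group(1) if m else "wp_"
    return settings

def random_salt(length: int = 64) -> str:
    # Only characters that need no escaping inside a PHP single-quoted string.
    alphabet = string.ascii_letters + string.digits + "!@#$%^&*()-_=+[]{}<>?"
    return "".join(secrets.choice(alphabet) for _ in range(length))

def build_config(sample: str, settings: dict) -> str:
    """Fill the sample with the carried-over DB values and freshly generated salts."""
    out = sample
    for key in [k for k in CARRY_OVER if k in settings]:  # missing keys keep the sample default
        out = re.sub(rf"define\(\s*'{key}'\s*,\s*'[^']*'\s*\)",
                     lambda _m, k=key: f"define( '{k}', '{settings[k]}' )", out)
    for key in SALT_KEYS:
        out = re.sub(rf"define\(\s*'{key}'\s*,\s*'put your unique phrase here'\s*\)",
                     lambda _m, k=key: f"define( '{k}', '{random_salt()}' )", out)
    return PREFIX_RE.sub(lambda _m: f"$table_prefix = '{settings['table_prefix']}';", out)
```

Run it against the real files by reading the old wp-config.php into extract_settings and writing build_config's result over a fresh copy of wp-config-sample.php.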
8. Check for Custom .htaccess Files in wp-content to Fix Hacked WordPress
Malware often places .htaccess files in subdirectories to perpetuate the attack. To clean:
- Use FTP to explore all subfolders in wp-content, including themes, plugins, and uploads.
- Delete any .htaccess files found.
- Repeat this process until all suspicious .htaccess files are removed.
Clearing these files prevents malware from reactivating itself.
Very important note: DO NOT REMOVE THE MAIN .htaccess FILE IN THE public_html FOLDER. This step covers only the .htaccess files inside wp-content, not the main one.
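An added example, not code from the original article, covering steps 3 and 8 together: it reports anything in the main .htaccess that is not the default WordPress block, lists .htaccess files under wp-content only, and quarantines them by renaming rather than deleting so the step can be undone if the site breaks. make_sample_site builds a constructed temporary site tree for the demonstration.

```python
import tempfile
from pathlib import Path

# Default WordPress rewrite block from step 3 above.
DEFAULT_BLOCK = """# BEGIN WordPress
RewriteEngine On
RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
RewriteBase /
RewriteRule ^index\\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
# END WordPress
"""

def root_htaccess_findings(text: str) -> list:
    """Lines of the main .htaccess outside the WordPress block, plus a note if the block differs."""
    findings, block, inside = [], [], False
    for line in (l.rstrip() for l in text.splitlines()):
        inside = inside or line == "# BEGIN WordPress"
        if inside:
            block.append(line)
        elif line.strip():
            findings.append(f"outside block: {line}")
        inside = inside and line != "# END WordPress"
    if block != DEFAULT_BLOCK.splitlines():
        findings.append("WordPress block differs from the default")
    return findings

def wp_content_htaccess(site_root) -> list:
    """Every .htaccess under wp-content; the main file in the site root is never listed."""
    return sorted(p for p in (Path(site_root) / "wp-content").rglob(".htaccess") if p.is_file())

def quarantine(paths) -> list:
    """Rename instead of deleting so the change can be reverted if the site breaks."""
    moved = []
    for p in paths:
        assert p.name == ".htaccess" and "wp-content" in p.parts  # guard: never the root file
        moved.append(p.rename(p.with_name(".htaccess.quarantined")))
    return moved

def make_sample_site() -> Path:
    """Constructed sample site in a temp dir: clean root .htaccess plus two planted copies."""
    root = Path(tempfile.mkdtemp())
    planted = ["wp-content/uploads/2024/.htaccess", "wp-content/plugins/foo/.htaccess"]
    for rel, body in [(".htaccess", DEFAULT_BLOCK)] + [(p, "# constructed sample\n") for p in planted]:
        (root / rel).parent.mkdir(parents=True, exist_ok=True)
        (root / rel).write_text(body)
    return root
```

Review the findings by hand before acting: hosting providers sometimes add their own directives outside the WordPress block, so a line reported there is not automatically malicious.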
9. Scan for Malware With Wordfence
After cleaning your site, perform a comprehensive malware scan to ensure no threats remain:
- Install and activate the Wordfence security plugin.
- Run a full site scan to identify malicious files, backdoors, and vulnerabilities.
- Use the “Find and Replace” feature to clean infected files. Avoid outright deletion to prevent breaking your site.
Wordfence also provides a firewall and real-time protection to safeguard your site against future attacks.
Conclusion
By following these steps carefully, you can restore your WordPress site and secure it against future attacks. Regular backups, updates, and using trusted plugins and themes will go a long way in keeping your site safe. You can also read our WordPress Security article to secure your WordPress website entirely.